A watering hole attack is a targeted attack where an individual or group gains access to a particular site and infects the computers of visitors with malware. The attackers exploit vulnerabilities in commonly used applications such as Java, Flash Player, Adobe Acrobat Reader and Internet Explorer. Once they gain control over one computer on the visitor’s network – often connecting through unsecured wireless connections – they can spread malware quickly through the victim company’s internal servers and systems.
How It Works
Watering hole attacks typically target very popular sites. These sites are more attractive to attackers because they can infect more computers and carry out their objectives undetected for a longer period. Hackers send emails with links or attachments to employees at the victim company – often posing as friendly associates – and wait for them to visit the site. The attackers are then able to exploit vulnerabilities in the browser, plug-in, or application that they missed during their vulnerability research.
Victims may not even know they’ve been given an infected USB stick. When an individual visits a site hosting malware, the user’s computer is compromised and becomes part of the attacker’s network. When additional employees visit the compromised site, they inadvertently download malware onto their machines as well. Attackers will monitor visitors to the site to see who has become part of their botnet. They can use these computers to send spam email, host phishing sites and/or attack other sites on the internet.
Where It Happens
Watering hole attacks have occurred against foreign affairs ministries, European energy companies, non-governmental organizations, and multinational corporations.
One of the most famous watering hole attacks was discovered in 2012 against The Council on Foreign Relations (CFR) website that potentially exposed its members to malware downloads.
Why They Are Used
Watering hole attacks are often associated with targeted attacks because they can be extremely difficult to detect. Attackers can maintain access to multiple machines across different organizations for long periods of time. Servers, desktops and even mobile devices that connect to the organization’s network can all be infected without detection. This makes it very likely that the attackers will gain access to critical data stores before being discovered.
Who Uses Them
There are several individual attackers and groups that can be responsible for a watering hole attack. Governments, criminal organizations and activist groups have all been known to use these attacks. The worry is that future watering hole attacks will not be used for espionage or data gathering but instead to sabotage an organization’s business operations.
How to Detect Watering Hole Attacks
Watering hole attacks are difficult to detect because:
- The sites that victims visit look safe and legitimate, so it may take days or months before anyone notices something malicious has happened. By then, your entire corporate network could be infected with malware that sends valuable information out from your organization unknowingly.
- The type of site that visitors land on is highly relevant. For a successfully targeted attack, a watering hole must be a site that the employees in your company or organization frequently visit.
- The actual exploit can happen when users’ browsers contact the attacked sites to load certain content. The attackers then infect the legitimate website with malware, so when users visit it, they are infected via drive-by download. In addition to targeting one site with malware, an attacker can infect several sites that victims might visit. The attackers simply need to host the malicious files on all those sites and ensure that the server hosting those websites redirects users to any of those victim locations. It is a process often known as a redirection attack.
- It can take time before you discover that there has been an incident and understand how it happened. Malware can be hidden on computers; it may not activate immediately or may remain hidden for some time after initial infection. Meanwhile, attackers will try to move laterally inside your network through vulnerable servers or workstations, which can go undetected for some time as well. Protecting your endpoints is essential, but it’s equally important to keep servers and systems patched and updated as often as possible.
- Attackers who use a watering hole attack strategy want to gain access to those machines that connect through an unsecured wireless connection to the target victim company. These connections are used by individuals who may not understand the risks associated with using open Wi-Fi connections in public places (coffee shops, airports, etc.) and trusting unknown hotspots.
How To Protect Your Company Against a Watering Hole Attack
- Keep your computer software patched regularly with the latest updates from manufacturers.
- Use antivirus programs to keep malicious code off your system(s).
- Have an advanced spam filter in place on email endpoint(s) to reduce phishing messages reaching users’ inboxes.
- Configure all browser add-ons and plug-ins to “click-to-play” so they are only active when you want them to be.
- Put restrictions on physical access devices, such as USB sticks, memory cards or external hard disks.
- Train your employees to be aware of the risks associated with clicking on suspicious emails and visiting unknown sites.
- Monitor download activity on company systems and networks, especially when employees typically work remotely or when sensitive data is received in email downloads.
- Use a secure web gateway to monitor all internet usage and block access to malicious websites that may carry malware.
- Watch out for watering hole attacks by watching for unusual traffic spikes in your web server logs.
Frequently Asked Questions about Watering Hole Attacks
What are the consequences of a watering hole attack?
The consequences of an attack can vary if the targeted organization is in your supply chain. If you’re a supplier, then the attackers may want to gain access to sensitive data or intellectual property. If you’re a customer, they could be trying to get access to your systems so that they can launch future attacks against your network. Even worse, if you fall within their direct competition, they could be using the malware installation as part of industrial espionage.
What is a watering hole?
The name comes from the idea of predators lurking in a watering hole, waiting for prey to come to them. Similarly, attackers use popular websites with known vulnerabilities as bait to lure members of their target organization so that they can exploit those systems using malware or spear phishing attacks.
Are all waterhole attacks with drive-by downloads?
There are many variations on how an attack might be carried out depending on the attacker’s objectives. Drive-by downloads are just one way that attackers try to get users to download malicious content onto victim machines.
What is a “drive-by” download?
A drive-by download occurs when users inadvertently download malicious code from a website, typically by clicking on a hyperlink within an email. Other examples of drive-by downloads include visiting compromised websites that have exploit code embedded in them or using infected USB devices plugged into your machine.
How is a watering hole attack different from spear phishing?
Spear phishing is a more targeted form of social engineering where attackers use personal information to make their attacks more believable. Spear phishing emails will appear to come from someone familiar, perhaps an executive or other senior staff member, and may also include attachments or links to trusted sites that the user has recently visited. Watering hole attacks are just one way that attackers can gain access to systems, but it’s becoming increasingly popular because the attacker doesn’t have to be as concerned about the target’s defences or end-user suspicion.
What information would an attacker be looking for at the watering hole?
The attackers will usually be looking for information that would give them the upper hand in future attacks against their target. This could include knowing which antivirus or security products are deployed, what software is used on the network, and what operating systems are most popular with your employees. The more they know about your organization, the easier it will be to craft their attacks.
What are the most common types of malware used in waterhole attacks?
There are many different variations to this type of attack, but the most common include trojans and drive-by downloads.
What makes a website more likely to be used as a watering hole?
Typically, attackers will choose popular websites that their targets visit often or that come highly recommended. The popularity of the site gives the attacker access to a large pool of potential victims for spear phishing and other attacks. Using trusted site recommendations from friends and colleagues carries more weight than other types of social engineering techniques.
How can you protect yourself against waterhole attacks?
The best protection is to be proactive rather than reactive because it’s almost impossible to detect these remote installations until they’re discovered on your network. Educating your employees about issues such as spear phishing is a must, and you should look at implementing a next-generation firewall to block drive-by downloads before the content is downloaded onto your users’ systems.